Specification 

Title of the Invention 

A Cryptosystem Using Multivariate Polynomials 

Field of the Invention 

The present invention relates to a new cryptosystem, and to cryptographic 
communication, that rely on the difficulty of solving multivariable polynomial equations. 

Prior Art 

Cryptosystems using polynomials in multivariables have been proposed, for 
instance, by Matsumoto et al. in "Public Quadratic Polynomial-tuples for Efficient 
Signature Verification and Message-encryption", Proc. of EUROCRYPT '88, 
Springer-Verlag, Vol. 20, pp. 419-453. In those cryptosystems, elements of 
Galois fields are expressed in polynomial form, and the messages (the plaintext) 
are encrypted into coefficients of the polynomials. When each element of a message 
is considered a variable, or an indeterminate, the message is considered a set of 
multivariables, and the coefficients of the respective degrees of a polynomial give new 
polynomials in those multivariables. However, the security of such cryptosystems has not 
been clear. The present inventor has been aiming at enhancing the security of 
multivariable polynomial cryptosystems, and the result is the present invention. 

Summary of the Invention 

The object of the invention is to provide a novel and strong cryptosystem 
that uses multivariable polynomials and to provide a decryption method and a 
decryptor for decrypting enciphered text according to the cryptosystem. 


A further object of the invention is to provide a recording medium and a 
propagated signal storing the decryption program. 

In the present cryptosystem, we use multivariable polynomials in finite 
extensions of a prime field. We use, for instance, the following three elements: 

1) Multiplying messages by polynomials and encrypting the respective elements of 
the message into coefficients of the resultant new polynomials; 

2) Adding noise to the messages and then applying an element of the 
symmetric group for scrambling the noise and the messages; and 

3) Multiplying the messages by elements of the finite extension fields. 

Sufficient security of the resultant ciphertext is obtained in practice if the 
above addition of noise to the messages and the subsequent permutation by the 
element of the symmetric group are combined with the above multiplication by the 
elements of the finite extension fields, such that in each degree of the resultant 
polynomial over the extension field the messages and the noise are encrypted in a 
complex manner. For practical encryption, the encryption algorithm may be kept 
secret from the persons encrypting their messages, and they can encrypt their 
messages simply by substituting them for the indeterminates of polynomials. Thus we 
can consider the ciphertext to be polynomials in the messages, and the ciphertext is 
highly secure. For instance, when we multiply our messages by polynomials in finite 
extension fields and express the products in polynomial form in the extension fields, 
the coefficients of the product polynomials are given by new polynomials depending on 
both the messages and the noise in a complex manner. However, the security of 
cryptosystems using only the multiplication of the messages by polynomials has 
not been confirmed. 

When we add to the above multivariable polynomial cryptosystem the 
combination with the noise and the subsequent scrambling, the security is remarkably 
enhanced. Further, when we add the multiplication by the elements of the extension 
fields after the scrambling of the messages with the noise, the security is further 
enhanced. Thus our improved cryptosystem is derived. According to the present 
cryptosystem, the characteristic features of the system do not appear during the 
encryption procedure. The features appear in the decryption procedure, where 
procedures corresponding to the encryption algorithm become necessary. 
Therefore, the decryption method and the decryption device are 
necessary for the practical use of the cryptosystem. 

According to the invention, messages are considered elements of finite 
extension fields of prime fields. Hereinafter, finite extension fields are sometimes 
called extension fields, fields, etc. The ciphertext, obtained by substituting the 
messages for the indeterminates of polynomials, i.e. by evaluating the polynomials at 
the messages, is multiplied by a first secret key (an element of the finite extension 
field), and a permutation of the elements of the ciphertext by a second secret key is 
performed such that the message (plaintext) corresponding parts and the noise are 
separated. For breaking the present cryptosystem, both the first and the second secret 
key are necessary, and their candidates are very many. Further, for performing the 
multiplication by the first secret key, it is necessary to know the irreducible 
polynomial that generated the finite extension. Therefore, the present 
cryptosystem is highly secure. 

Preferably, the first secret key is selected from the powers of a primitive root of 
a primitive polynomial of the finite extension, so that a wide variety of first secret 
keys is possible by changing the index of the power, for higher security. 
Further, multiplication by powers of the primitive root is easily done, and the 
decryption becomes easier. 
Preferably, the message corresponding part separated by the second secret 
key is further multiplied by a third secret key comprising a secret polynomial. Thus, 
for the decryption, the multiplication by the first secret key, the permutation by the 
second secret key, and the multiplication by the third secret key are necessary, and 
even if the third secret key were stolen, the irreducible polynomial used for generating 
the finite extension before the noise is added would be necessary for the multiplication 
by the third secret key. Therefore, the security of the present system is very high. 

Most preferably, after the multiplication by the third secret key, a power 
root of the product is calculated with a fourth secret key, by raising the product 
to an adequate power. Thus, for the decryption, the multiplication 
by the first secret key, the permutation by the second secret key, the multiplication 
by the third secret key (a polynomial), and the power root operation by the fourth 
secret key are necessary. Without the fourth secret key, the ciphertext can be 
decrypted only into complex polynomials of the respective elements of the messages, so 
the security of the present cryptosystem is further enhanced. 

According to the present cryptosystem, the decryption program may for 
instance be distributed through information networks, or on CD-ROMs and IC cards. 

Brief Description of the Drawing 

Fig. 1 is a block diagram showing an encryptor and a decryptor, and their 
interconnection according to the embodiment of the invention. 

Fig. 2 is a flowchart showing an encryption algorithm in the embodiment. 

Fig. 3 is a flowchart showing a practical process for the encryption in the 
embodiment. 

Fig. 4 is a flowchart showing a decryption algorithm in the embodiment. 
Fig. 5 shows an example of the distribution of the decryption program 
through an information network in the embodiment. 

Fig. 6 is a block diagram showing an encryption and decryption device 
according to the embodiment. 

The Best Embodiment 

Figs. 1-6 show the best embodiment. First, the major terms used in the 
embodiment are described. GF(2^k) and GF(2^n) denote Galois fields. 
The prime subfield contained in a field has a characteristic that is a prime 
number or 0, and when the characteristic is 0, the prime field is the field Q of 
rational numbers. While the characteristic of the prime field may be a prime 
number or 0, we prefer 2 for easier computation in digital information processing 
devices. The Galois fields GF(2^k) and GF(2^n) are examples of finite 
extensions of the prime field of characteristic 2. The value of k is, for instance, 
between 64 and 16384, and we assume k = 1024 in the embodiment. The value of n is 
greater than that of k, for instance about 2k, preferably 128 to 32768, and we 
assume n = 2048 in the embodiment. 

F(X) is a primitive polynomial of degree k defining the Galois field GF(2^k). 
Similarly, H(X) is a primitive polynomial of degree n defining the Galois field GF(2^n). 
For making the decryption easier, we select both F(X) and H(X) from the primitive 
polynomials of the respective extension fields. However, F(X) 
may be any irreducible polynomial of degree k defining GF(2^k), and similarly H(X) 
may be any irreducible polynomial of degree n defining GF(2^n). α is one of the roots 
of the polynomial F(X), and so F(α) = 0. γ is a primitive root of H(X), and so 
H(γ) = 0. x is a natural number, and γ^x is a non-zero element of the Galois 
field GF(2^n). 
M denotes a message and is 1024-bit data in the embodiment. We consider 
M a vector of k elements (m_1, ..., m_k), where k is for instance 1024, and 
also consider M an element of the Galois field GF(2^k). In this specification, the set 
N of natural numbers comprises the positive integers and 0. For the encryption, we use 
t polynomials β_1(α), β_2(α), ..., β_t(α), all of which are 
elements of the Galois field GF(2^k), and transform the message M into the 
first-stage ciphertext M(α) by the following equation (1): 

$$M(\alpha) = M\beta_1(\alpha) \cdot M\beta_2(\alpha) \cdots M\beta_t(\alpha) \bmod F(\alpha) \qquad (1)$$

We call the resultant M(α) the message corresponding part and denote the product 
β_1(α)···β_t(α) simply by β, so that M(α) = M^t·β mod F(α). The operation of 
equation (1) is performed in the Galois field GF(2^k), and since it is obvious that 
modular reduction is performed, we will sometimes omit the indication of the modular 
reduction when it is clear from context. 

A noise r(α) of degree n - k is randomly produced and combined, 
for instance, at the end of the message corresponding part M(α). The degree of 
the noise r(α) is for instance 1024, so the noise r(α) is for instance 
1024 bits long. An element of the symmetric group (the permutation group) is 
applied to the message corresponding part and the noise, so that their elements 
are completely scrambled. We call the result Γ; it is n bits long and is an 
element of the Galois field GF(2^n). We denote the above mapping from M(α) to 
Γ by Φ_nk^{-1}, and denote the inverse mapping of Φ_nk^{-1}, used 
during the decryption, by Φ_nk. We call the transformation between M(α) and Γ 
"substitution" without referring to encryption or decryption, since whether it means 
encryption or decryption will be obvious from context. 

We multiply Γ by γ^x and get a resultant polynomial C. The respective 
coefficients of the polynomial C are themselves polynomials depending on both 
the noise and the message corresponding part in a complex manner. We sometimes 
write the polynomial C as the set of its coefficients C_i of the respective degrees, 
C = {C_i(M)}. C is the final ciphertext. To emphasize that C is a function of the 
message M, we will sometimes write the ciphertext C as C(M). 

The above encryption may be performed more simply, without 
reference to the encryption algorithm. Since C(X) = {C_i(X)} is disclosed as the 
public key, a sender substitutes M for X in the public key and thus obtains the 
ciphertext C_i(M) (i = 1..n). Each element C_i(M) of the ciphertext is a polynomial 
in the elements (m_1, ..., m_k) of the message M. 

The secret keys are F(X), H(X), x (or γ^x), Φ_nk, β, and t, which is a 
positive integer. β is represented by the following equation (2): 

$$\beta = \beta_1(\alpha) \cdot \beta_2(\alpha) \cdots \beta_t(\alpha) \qquad (2)$$

We select γ from the primitive roots of H(X), so any non-zero element 
of the Galois field GF(2^n) can be represented as γ^x, and therefore the 
multiplication by γ^{-x} is easily performed. Let f be a natural number (index) such 
that M^{tf} = M. If t and 2^k - 1 are coprime, such a natural number 
f exists. Therefore gcd(t, 2^k - 1), the greatest common divisor of t and 2^k - 1, is 
preferably 1. 

In the following, networks mean information networks, and digital 
information processing devices mean computers and cryptographic communication 
chips having logic circuits therein. Recording media mean those readable by 
computers and decryption chips, and propagating signals mean those transmitted 
through networks, etc. 

Fig. 1 shows an encryptor 4, a decryptor 6, and the interconnection 
between them through a network such as the Internet. The encryptor 4 receives the 
public key C(X) from a public key memory 8 provided in the decryptor 6 and 
encrypts the message M, produced by a plaintext generator 2 provided in the 
encryptor, with the public key. The message M is an element of the Galois field 
GF(2^k), composed of (m_1, m_2, ..., m_k), and is k bits long. For the encryption of the 
message M into the ciphertext C(M) with the public key C(X), the message M is 
substituted for X in each element C_i(X) (i = 1..n) of the public key C(X), which 
has n elements. The resultant ciphertext C(M) is an element of the Galois field GF(2^n). 

In the decryptor 6, a secret key memory 10 is provided for storing the 
primitive polynomial F(X) defining the Galois field GF(2^k), the primitive polynomial 
H(X) defining the Galois field GF(2^n), the value of the primitive root γ of the Galois 
field GF(2^n) (if plural primitive roots are present), the value x in γ^x, the 
permutation Φ_nk in the symmetric group for separating the message corresponding 
part and the noise, the polynomial β used for the multiplication in equation 
(1), and t, the index of the power of M, etc. 

Multiplication means 12 multiplies the ciphertext C(M) by γ^{-x} in the 
Galois field GF(2^n), so that C(M) is transformed into Γ = C(M)·γ^{-x}. Substitution 
means 14 applies Φ_nk in the symmetric group to Γ so that the message 
corresponding part M(α) and the noise are separated from Γ. Second 
multiplication means 16 multiplies the message corresponding part M(α) by the 
inverse β^{-1} of the polynomial β such that M^t = M(α)·β^{-1}. Then M^t is further 
raised to the f-th power, and since M^{tf} = M, the plaintext is obtained. When t and 
2^k - 1 are coprime, such an f, a positive integer, exists. 

Fig. 2 shows a practical encryption algorithm. The message M, for 
instance 1024 bits long and possibly already including some noise, is deemed an 
element of the Galois field GF(2^k) and processed by equation (1), so that the 
message corresponding part M(α) results. 

$$M(\alpha) = M\beta_1(\alpha) \cdot M\beta_2(\alpha) \cdots M\beta_t(\alpha) \bmod F(\alpha) \qquad (1)$$

The message corresponding part M(α) is a polynomial of degree at most k - 1, 
and in each coefficient of the polynomial, the elements m_1, ..., m_k of the message M 
are scrambled in a complex manner. The coefficients of the polynomial are 
respectively deemed polynomials of degree at most t in the variables m_1, ..., m_k. When the 
message corresponding part M(α) is used as the final ciphertext, its security has 
not been confirmed. Therefore we enhance the security as follows. 

The message corresponding part M(α) is scrambled with the noise 
r(α) of degree n - k. For instance, first the noise r(α) is adjoined at the end of 
the message corresponding part M(α), and then the element Φ_nk^{-1} of the 
symmetric group is applied to them. Thus they are transformed into the element Γ 
of the Galois field GF(2^n). 

Next, Γ is multiplied by γ^x, and the elements of the message 
corresponding part M(α) and the elements of the noise r(α) are combined in a 
complex manner in each coefficient of the polynomial C in the Galois field GF(2^n). 
Here γ is a primitive root of the primitive polynomial H(X), and hence any 
non-zero element of the Galois field GF(2^n) may be expressed as γ^x for some x. 
The resultant ciphertext C is very secure. 

In the embodiment, three steps have been performed in the following 
order: first the operation of equation (1), then the addition of the noise r(α) 
and the permutation (scramble), and finally the multiplication by γ^x. However, 
they may be performed in a different order. For instance, first the scramble of 
the message M with the noise r may be done, and then the multiplication by the 
polynomial and the other multiplication by the power of the primitive root may be 
done. Alternatively, first the multiplication by the power of the primitive root may 
be done, then the scramble with the noise r, and finally the 
multiplication by the polynomial. Moreover, since the present 
cryptosystem is very secure, the addition of and permutation with the noise may be 
combined with just one of the first multiplication by the polynomial and the 
second multiplication by the power of the primitive root. 

While Fig. 2 shows the encryption algorithm in detail, in practice the 
sender does not need to know the encryption algorithm. In the practical encryption, 
as shown in Fig. 3, the public key C(X) comprising the elements C_i(X) (i = 1..n) is 
disclosed, where the indeterminate X has the same data length as the message M. 
When a sender substitutes the message M for the indeterminate X, the 
ciphertext C(M) is obtained. Therefore, the encryption is very easily performed, 
and the public key C(X) is a strong one-way function. 

Fig. 4 shows the decryption algorithm. The ciphertext C(M) received 
by the decryptor 6 is multiplied by γ^{-x}, and thus Γ is obtained. Since γ^{-x} is an 
element of the Galois field GF(2^n), the multiplication is easily performed. Next, the 
mapping Φ_nk, which is the inverse of the Φ_nk^{-1} already used for the addition of the 
noise and the subsequent scrambling, is applied to Γ so that Γ is transformed into 
the message corresponding part M(α) and the noise r(α) separately. The noise 
is discarded. During this step, the order of the Galois field decreases from 2^n to 
2^k. Next, the message corresponding part M(α) is multiplied by the inverse β^{-1} 
of the product of the t polynomials β_1(α), ..., β_t(α) in equation 
(1), and hence M(α) is transformed into M^t. If t and 2^k - 1 are coprime, 
there exists a natural number f such that M^{tf} = M. As a result, the message M is 
decrypted. 
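The procedure just described, from equation (1) through the scramble with the noise and the multiplication by γ^x (Fig. 2), the public key C(X) that the sender evaluates (Fig. 3), and the decryption of Fig. 4, as an added worked example in Python. This code is not part of the specification and is not the inventor's implementation. It assumes toy parameters k = 7, n = 14 and t = 3 in place of the embodiment's k = 1024 and n = 2048, takes γ = X as the primitive root of H(X), and fixes the noise r(α) inside the key so that C(X) is one fixed public key; the function names keygen, encrypt, decrypt, public_key and the dictionary layout of the secret keys are choices made here.

```python
# Added toy instance of the specification's cryptosystem; not the inventor's code. Assumed
# here: k = 7, n = 14, t = 3, gamma = X, and noise r fixed inside the key so C(X) is fixed.
import random
from math import gcd

def gf_mul(a, b, mod, deg):
    """Product in GF(2^deg); elements are ints whose bits are polynomial coefficients."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> deg:                  # reduce modulo the defining polynomial (F(X) or H(X))
            a ^= mod
    return r

def gf_pow(a, e, mod, deg):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, mod, deg)
        a, e = gf_mul(a, a, mod, deg), e >> 1
    return r

def is_primitive(mod, deg):
    """True iff X has order exactly 2^deg - 1 modulo mod, i.e. mod is a primitive polynomial."""
    order, m, q, factors = (1 << deg) - 1, (1 << deg) - 1, 2, set()
    while q * q <= m:                 # prime factors of 2^deg - 1
        while m % q == 0:
            factors.add(q)
            m //= q
        q += 1
    if m > 1:
        factors.add(m)
    return gf_pow(2, order, mod, deg) == 1 and all(gf_pow(2, order // q, mod, deg) != 1 for q in factors)

def find_primitive(deg, rng):
    while True:
        cand = (1 << deg) | (rng.getrandbits(deg - 1) << 1) | 1   # monic with constant term 1
        if is_primitive(cand, deg):
            return cand

def permute_bits(v, perm):  # element of the symmetric group: bit i of v moves to bit perm[i]
    return sum(1 << perm[i] for i in range(len(perm)) if v >> i & 1)

def keygen(k, n, t, seed=1):
    rng = random.Random(seed)
    assert n > k and gcd(t, (1 << k) - 1) == 1     # f with t*f = 1 (mod 2^k - 1) must exist
    F, H = find_primitive(k, rng), find_primitive(n, rng)
    gamma_x = gf_pow(2, rng.randrange(1, (1 << n) - 1), H, n)   # first secret key gamma^x
    beta = 1
    for _ in range(t):                             # equation (2): beta = beta_1 ... beta_t
        beta = gf_mul(beta, rng.randrange(1, 1 << k), F, k)
    perm = list(range(n))
    rng.shuffle(perm)                              # second secret key Phi^{-1}_{nk}
    return dict(k=k, n=n, t=t, F=F, H=H, gamma_x=gamma_x, beta=beta, perm=perm,
                noise=rng.getrandbits(n - k), f=pow(t, -1, (1 << k) - 1))

def encrypt(K, M):
    """Fig. 2: equation (1), adjoin the noise and scramble, multiply by gamma^x."""
    k, n = K['k'], K['n']
    Ma = gf_mul(gf_pow(M, K['t'], K['F'], k), K['beta'], K['F'], k)   # M(alpha) = M^t beta mod F
    Gamma = permute_bits(Ma | (K['noise'] << k), K['perm'])           # Phi^{-1}_{nk}(M(alpha) || r)
    return gf_mul(Gamma, K['gamma_x'], K['H'], n)                      # C = Gamma * gamma^x mod H

def decrypt(K, C):
    """Fig. 4: undo each step with the secret keys, then take the f-th power."""
    k, n = K['k'], K['n']
    Gamma = gf_mul(C, gf_pow(K['gamma_x'], (1 << n) - 2, K['H'], n), K['H'], n)  # C * gamma^-x
    inv_perm = [K['perm'].index(i) for i in range(n)]                             # Phi_{nk}
    Ma = permute_bits(Gamma, inv_perm) & ((1 << k) - 1)                           # discard noise
    Mt = gf_mul(Ma, gf_pow(K['beta'], (1 << k) - 2, K['F'], k), K['F'], k)       # M^t = M(alpha) beta^-1
    return gf_pow(Mt, K['f'], K['F'], k)                                           # (M^t)^f = M

def public_key(K):
    """C(X) = {C_i(X)} in algebraic normal form via a Mobius transform of encrypt's truth table
    (feasible only for toy k); coef[S] has bit i set iff prod_{j in S} m_{j+1} occurs in C_i."""
    k = K['k']
    coef = [encrypt(K, M) for M in range(1 << k)]
    for j in range(k):
        for M in range(1 << k):
            if M >> j & 1:
                coef[M] ^= coef[M ^ (1 << j)]
    return coef

def evaluate_public_key(coef, M):
    """Fig. 3: the sender substitutes the message bits for the indeterminates of C(X)."""
    C = 0
    for S, c in enumerate(coef):
        if (S & M) == S:              # the monomial is 1 iff every variable in S is set in M
            C ^= c
    return C

def public_key_degree(coef):
    return max(bin(S).count('1') for S, c in enumerate(coef) if c)

if __name__ == "__main__":
    K, M = keygen(k=7, n=14, t=3), 0b1011001
    C, pk = encrypt(K, M), public_key(K)
    print(decrypt(K, C) == M, evaluate_public_key(pk, M) == C, public_key_degree(pk))
```

Run as a script it prints True True 2: the round trip recovers M, evaluating the public key polynomials at M gives the same ciphertext as the secret-key encryption, and the public key has algebraic degree 2. public_key recovers C(X) from the truth table of encrypt by a Möbius transform, which is only feasible for a toy k; with the real parameters the polynomials would have to be built symbolically. The degree check is also the reason for choosing t = 3 here: over GF(2) squaring is linear, so the algebraic degree of M ↦ M^t in the message bits is the number of 1 bits in the binary expansion of t, not t itself. With t a power of two (t = 4 also satisfies gcd(t, 2^k - 1) = 1) the whole public key is affine in m_1, ..., m_k, so t should have several bits set.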

Fig. 5 shows the distribution of decryption programs through a network 24. 
A distribution station is denoted by 20, and a recipient station by 22. The 
recipient station 22 requests the distribution station 20 to send the decryption 
program, and the distribution station 20 sends the decryption program, the public 
key, and the secret keys as a signal propagating through the network 24 to the recipient 
station 22. The decryption program distributed is one for performing the algorithm 
of Fig. 4. 

Fig. 6 shows an example of an encryption and decryption device 30. An I/O 
32 communicates with the outside or is connected to an outside computer and so on. 

A public key memory 34 stores the public key C(X) and discloses the key to the 
public. Multiplication means 36 stores the value of γ^{-x} and multiplies the 
ciphertext by γ^{-x}. Substitution means 38 stores the element of the symmetric 
group for transforming Γ into the message corresponding part M(α), and thus 
transforms Γ into M(α). Second multiplication means 40 stores the polynomial 
β^{-1} and multiplies the message corresponding part M(α) by the polynomial β^{-1} 
such that M^t is obtained. The resultant M^t is further raised to the f-th power by 
raising means 42 and decrypted to the original message M. Encrypting means 44 
encrypts messages M produced in the encryption and decryption device 30. 
These means 36 - 44 may easily be realized by a combination of registers and 
logic gates and so on, or by means of computer software installed on an 
adequate computer. 

While the embodiment has been described with an example of a public 
key cryptosystem, the cryptosystem according to the invention may also be designed as a 
secret key cryptosystem. In that case, if the secret keys, such as the primitive 
polynomials, the value of x, the element Φ_nk of the symmetric group for the 
separation between the message corresponding part and the noise, the polynomial β, 
the value of t, and the length of M, are renewed properly, the longevity of the 
cryptosystem is enhanced. While the embodiment has shown a specific example, 
alterations may be made. For instance, the secret keys themselves do not necessarily 
need to be stored; other data equivalent to the secret keys, or data that can be 
transformed into the secret keys, may be stored in place of the secret keys. 